Exploring key privacy law frontiers

Remarks at McGill University Faculty of Law

January 21, 2013
Montreal, Quebec

Address by Patricia Kosseim
Senior General Counsel and Director General, Legal Services, Policy and Research Branch
and Kirk Shannon
Legal Counsel, Legal Services, Policy and Research Branch

(Check against delivery)


Introduction

Thank you Jonathan for that kind introduction. And on behalf of the Privacy Commissioner of Canada, thank you to McGill Faculty of Law, her alma mater and mine, for the invitation to be here. I would like to introduce Kirk Shannon from our Legal Services team who is also a graduate from McGill Law School. I am delighted to be back in Moot Court which brings back many fond memories!

My remarks this evening will focus on some challenging privacy issues that are currently facing us in a rapidly changing environment.

Privacy and Law enforcement

Here in Canada, there is no question that privacy is a cherished legal concept which is deserving of utmost protection from the state.  Privacy was a core issue in Hunter vs Southam, one of the first significant Charter cases to be decided by the Supreme Court of Canada. Writing in 1984 for a unanimous Court, Chief Justice Brian Dickson identified the protection of privacy as an integral part of the Charter-protected guarantee against unreasonable search and seizure.

Yet individuals have the right only to a reasonable expectation of privacy, not an absolute right.  As Dickson observed:

“An assessment must be made as to whether in a particular situation the public’s interest in being left alone by government must give way to the government’s interest in intruding upon the individual’s privacy in order to advance its goals, notably those of law enforcement...” 

This interplay between meaningful privacy and effective security remains a fundamental question in all open, democratic societies and continues to lie at the root of many of today’s privacy issues. True, much has changed since the oft-quoted excerpt of the House of Lords dating back to the Semayne's Case in 1604, which first enunciated the concept of “a man's home (a)s his castle”. LaForest J., among other Supreme Court Justices citing this famous case, added that “even the King himself ha(s) no right to invade the sanctity of the home without the authority of a judicially-issued warrant”.

Lawful Access to Subscriber Information

But how to transpose this principle in the modern context of law enforcement?   The question of “lawful access” to telecommunications subscriber information is currently before Parliament in Bill C-30. This Bill seeks to give law enforcement the power to access – without a warrant – subscriber information from internet service providers, including an IP address – which is the online equivalent of a fingerprint. C-30 is the latest incarnation of a longstanding drive to expand and modernize the state’s legal tools to conduct surveillance and access private information.

Our Office understands the practical challenges faced by law enforcement and national security authorities in today’s modern era of evolving communications technologies.

But Bill C-30 raises serious privacy concerns.

In particular, we are concerned about state access, without a warrant, to subscriber information including an IP address. As Bill C-30 currently stands, the broad powers given to law enforcement would not be sufficiently limited or subject to adequate judicial oversight.  Indeed, these powers to compel production of certain personal information could be used against any law-abiding citizen.

Interception of Text Messages

Another example of lawful access in the modern realm of telecommunications services, involves the case of Telus v. The Queen, heard by the Supreme Court of Canada in October. The outcome could have profound implications for the privacy of anyone who uses text messaging, which I assume is a medium of choice for many of you here.

At the core of the argument is the type of warrant that must be used by the state to collect text messages for investigative purposes: a General Warrant or the higher threshold of a Wiretap Authorization.  This is a very technical legal argument under the Criminal Code, to be sure – but an issue that has serious privacy implications.

The issue in the case at hand arose when police in Owen Sound, Ontario served Telus with a General Warrant and related Assistance Order requiring the company to turn over, every day, all text messages sent and received between two Telus subscribers. The Warrant was issued on a prospective basis – for example, seeking access to text messages sent in the two weeks following the release of the order. 

The police were to be given the texts within hours of transmission, whether or not they had been received by the particular Telus client.

Telus took the position that the Crown should have to follow the more onerous procedure of obtaining a Wiretap Authorization under the Criminal Code because police were effectively “intercepting” the messages in real-time, by gaining access to them even before the intended recipients in some cases.

However, given the fact that Telus, unlike some of its competitors, routinely archives customers’ text messages on its servers, the Crown argued that the police request wasn’t “interception” of real-time private communications. Rather, the police were simply seeking access to stored data, requiring only the easier-to-obtain general warrant.

An Ontario Superior Court Justice accepted the Crown’s position and Telus obtained leave to appeal directly to the Supreme Court.

In its intervention, the Canadian Civil Liberties Association framed the core argument as follows:

Is texting like an oral phone conversation? Yes. If the police obtain your texts from the telephone company who transmits them, is that the same as listening in on your conversation? Yes. Is your expectation of privacy the same? Yes. Should the protection of your privacy be the same? Yes.

This serves as another example demonstrating the continuing challenge of ensuring meaningful individual privacy while still providing law enforcement with adequate tools to do their job.

Private Sector Privacy

In addition to privacy issues involving the state versus the individual, our Office also has a mandate to regulate privacy in the private sector. One of our most pressing challenges is how to protect children and youth from the risks posed by emerging information technologies – technologies which were not even dreamt of by the framers of Canada’s privacy laws.

Protection of Children and Youth from Cyberbullying

The Supreme Court of Canada echoed these concerns in a decision rendered last September in which our Office was an intervener. The case of A.B. v. Bragg Communications involved the cyberbullying of a 15-year-old girl by someone who set up a fake Facebook profile using a variation of her name, along with some unflattering commentary and some sexually explicit references.

Through her father, A.B. sought access to the identity of the individual associated with the IP address, which in turn was connected with the fake Facebook profile.  While Facebook was prepared to give A.B. the individual’s IP address, she still needed the telecom provider, Bragg Inc. in this case, to provide her with the identity of the associated individual(s).  The organization, citing its obligations under the federal privacy law, was prepared to hand it over but only on production of a court order.  A.B. brought a preliminary motion before the court asking for a disclosure order, but also requested that she be allowed to proceed with her motion under a pseudonym (A.B.) and that the court grant a publication ban on the content of the fake Facebook profile.

Two lower courts both granted the disclosure request but denied the requests for anonymity and a publication ban. They cited A.B.’s failure to submit evidence of specific harm to justify either request.

Writing for a unanimous Court, Justice Abella disagreed with the lower courts, holding that evidence of specific harm was unnecessary in this case.  Abella J. held that both courts failed to consider the objectively discernible harm to A.B.  Taking a common-sense approach, “it was logical to infer that children may suffer harm through cyberbullying.” 

The Supreme Court of Canada held that the interests of privacy and the protection of children from cyberbullying justified restrictions on freedom of the press and open courts.  In their evaluation, granting A.B. anonymity would cause minimal harm to freedom of the press and the open courts principle, compared with the salutary effects of protecting children from the greater harm of online cyberbullying, the risks of re-victimization upon publication and the potential chilling effect on child victims seeking access to justice.

This Supreme Court decision shows that courts are beginning to understand and accept the context of the Internet age.  New information technologies facilitate virtually unrestricted access to personal information by a vast public with insatiable appetite for accessing such information and wide ranging motivations for using it.  And while we must embrace the potential of such technology to improve our standard of living, to uncover new forms of knowledge and to forge new relationships, we must be cautious regarding its potential adverse effects, precisely because online content can be spread widely, quickly and anonymously. This can have profound and long-lasting impacts on the most vulnerable Canadians, particularly children and youth.  

Protection of personal information online

But children and youth are not the only ones vulnerable to the risks of online privacy. A decade ago, personal information was confined to determinate and well-defined data-sets. But today, the concept of personal information is much broader. Indeed, some contend that personal information even includes a network-specific IP address or the unique identifier for a smartphone. A key question many experts are asking today is when does information about ‘things’ also implicate information about people, particularly as individuals become increasingly connected personally, physically, emotionally and geographically to their technical devices? And when does disparate information being collected for the purpose of online behavioural advertising become personal? These remain open questions that have yet to be settled by the courts.

That said, the definition of personal information will receive an airing here in Canada at the Supreme Court this coming June, when the Court hears a case from the Alberta Court of Appeal: the United Food and Commercial Workers Case.  

This case arose from a strike by members of the UFCW at a casino where the union videotaped and photographed people crossing the picket line with a threat of posting images of “scab” workers on the internet.  Complaints were lodged with the Alberta Privacy Commissioner about alleged misuse of personal information.

The Court of Appeal unanimously found that provisions of Alberta’s Personal Information Protection Act breached the union’s freedom of expression found in section 2(b) of the Canadian Charter of Rights and Freedoms. The Court found that the privacy interest being protected here is minimal. The persons videotaped were in a public place and expectations were considered quite low in the circumstances:

Members of the public cannot ... have a reasonable expectation that they can live their lives in total anonymity. People do not have a right to keep secret everything they do in public, such as crossing picket lines. There is no recognized right to withhold consent to the dissemination of information about unpleasant conduct. Holding people accountable for what they do or do not do in public is a component of the right to free expression.

Our Office has supported the position taken by the Alberta Privacy Commissioner in this matter.

We support a broader definition of personal information particularly in the age of Big Data where more and more information is being uploaded and shared than we could have ever imagined. And while the accumulation of data is staggering, it actually pales in comparison to the escalating technological capacity to sort through it, make connections and find patterns.

As Canada Research Chair in Information Law Theresa Scassa has noted – as this capacity increases and the longer information is retained – the greater the likelihood of it being matched and processed with other data.  As a result, “identification that is impossible today may indeed be easy tomorrow.” Taking a narrower view of personal information, be it in the courts or in legislation, may disadvantage Canadians by affording them less privacy protection in a global society where other jurisdictions are increasingly taking a broader view of personal information.

Legal remedies for Privacy Breaches

Right now, at the federal level, Canada is already falling behind many other countries in our ability (or lack thereof) to deter bad privacy practices. On the private sector side, our Office’s strongest lever comes unfortunately only after-the-fact, such as when we make our investigation reports and findings public. While we can take matters to Federal Court for a de novo review, we ourselves lack legislated authority to make orders, impose sanctions, levy fines or award damages for non-compliance. In other words, we lack the full range of tools needed to truly incentivize organizations to prevent such occurrences from happening again in the future – or better yet – from happening in the first place.

On the public sector side, the Privacy Act currently provides no judicial recourse at all, in cases involving improper use or disclosure of personal information held by federal institutions. 

Quite apart from statutory remedies, however, there are other possible legal avenues which have been attracting attention as of late.

Tort of Intrusion upon Seclusion

The first concerns a common law remedy for tortious or extra-contractual wrongdoings against an individual’s right to privacy.

An interesting case in point is the Jones v. Tsige case released by the Ontario Court of Appeal a year ago. It involved two women who were both employees of the same bank. The defendant, Tsige, was found responsible for repeatedly accessing the personal banking information of the complainant, Jones, who was the ex-wife of Tsige’s spouse.

The defendant did not use or share the information with anyone else, and the complainant did not incur any financial losses.

Nevertheless, the Ontario Court of Appeal issued a unanimous decision that the plaintiff had suffered harm and should be compensated with $10,000 in damages.

Citing a trend in case law, as well as the constitutional protection of privacy recognized by the Supreme Court of Canada, the Court identified a right to bring a civil action for damages for the invasion of privacy. The Court called this new common law cause of action “the tort of intrusion upon seclusion.”

Privacy class action lawsuits

A second new potential legal tool is the rising interest in class action lawsuits seeking to compensate an entire class of individuals for damages suffered during major privacy breaches.

Canadian experience so far suggests this is an uncertain tool for advancing privacy rights. Generally speaking privacy class actions are at an early stage in Canada.

And Canadian courts have not yet deliberated on the substantive issues related to certification or the merits of a privacy class action claim.  As you may have recently heard, several privacy class action lawsuits have recently been filed as a result of the recent HRSDC breach involving Canada’s Student Loan program affecting over half-a-million Canadians who took university loans between 2000 and 2006. Among the causes of action cited are: negligence, breach of contract, breach of trust and intrusion upon seclusion.   

A key issue for our Office is whether class actions can serve as a meaningful tool for achieving reasonable compensation for the damages that individuals suffer in privacy breaches. Also, just as important is whether any awards or settlements from precedent-setting class action lawsuits will finally capture the attention of defendants and other similarly-situated organizations and institutions. In the end, is it the financial and reputational impact that will bring about the increased investments needed to ensure privacy protection and reduce the risk of such incidents reoccurring in the future?

Conclusion

Let us leave you with some closing thoughts.  First, it’s very clear that information technologies and further innovations in telecommunications can be the game-changing drivers that will lead to very positive developments for society. At the same time however, we have to consider the full breadth of their growing capacity and effects; as do our legislators and the courts. 

The Internet and social media have in some ways made people closer than they have ever been before, but at the same time have created a sense of false intimacy. In other words, people interact with their devices while they are ostensibly alone, and although they may intend to share personal information with specific friends or for specific purposes, in fact, comments made in the moment may live on forever and may be viewed by millions.

Some commentators have credited social media tools with empowering whole populations to rise up in the face of authoritarian regimes, yet the activities of online behavioural advertisers put nearly all users under a constant form of stealth surveillance.

Whereas law enforcement stakeholders have raised concerns about how criminals can use new technology to facilitate their activities, the solution they seek may potentially provide them with the master-key to unlock other personal information about any law-abiding citizens, whether or not accused of crime, and without any judicial oversight.

All told, the opportunities afforded by new technologies to facilitate communications, commerce, marketing and law enforcement need to evolve hand in hand with a thoughtful public discourse on their potential impacts for society, including the right to privacy. This is what our office strives to do every day in the ongoing hope – not of hindering – but rather, of adding value to – technological innovation and encouraging organizations, governments and individuals to find well-balanced solutions that benefit the broader public interest.

Thank you and we look forward to discussion.
